From 275bff189557ae70aba71bbbe885e480531db5a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Helen=20Hou-Sand=C3=AD?=
Date: Wed, 1 Jul 2015 03:37:23 +0000
Subject: [PATCH] Fire the `check_admin_referer` action on failure as well as success. This enables things like logging nonce failures in the admin.
props markjaquith.
fixes #32207.
Built from https://develop.svn.wordpress.org/trunk@33017
git-svn-id: http://core.svn.wordpress.org/trunk@32988 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/pluggable.php | 10 ++++++----
 wp-includes/version.php | 2 +-
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php
index f0934588bd..1295282790 100644
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -1091,10 +1091,6 @@ function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
 $adminurl = strtolower(admin_url());
 $referer = strtolower(wp_get_referer());
 $result = isset($_REQUEST[$query_arg]) ? wp_verify_nonce($_REQUEST[$query_arg], $action) : false;
- if ( !$result && !(-1 == $action && strpos($referer, $adminurl) === 0) ) {
- wp_nonce_ays($action);
- die();
- }
 
 /**
 * Fires once the admin request has been validated or not.
@@ -1106,6 +1102,12 @@ function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
 * 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
 */
 do_action( 'check_admin_referer', $action, $result );
+
+ if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
+ wp_nonce_ays( $action );
+ die();
+ }
+
 return $result;
 }
 endif;
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 4a8611c449..5db7f68c8d 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.3-alpha-33016';
+$wp_version = '4.3-alpha-33017';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
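Review bot: In the second pluggable.php hunk, moving the check below `do_action( 'check_admin_referer', $action, $result );` means listeners now receive `$result === false` both when the request is about to be rejected by `wp_nonce_ays( $action )` and when it is let through by the `-1 == $action` referer fallback on the added `if` line, so a failure logger hooked to this action cannot distinguish a blocked request from one accepted on referer alone. The action's docblock (mostly outside the hunk) should say so; for example add `* Note: a $result of false does not mean the request was rejected. When $action is -1 and the referer is within admin_url(), the request is still allowed.` together with a `@since` entry recording that the action now also fires when the nonce check fails. Callbacks must also not treat the hook as proof of validation, since on failure they now run before the termination path. check_admin_referer() begins before the first hunk; only its tail is visible here.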